* RE: Recording user commands (from RE: Linux-audit Digest, Vol 31, Issue 12) [not found] <20070426160026.DFC3B73253@hormel.redhat.com> @ 2007-04-27 20:05 ` Taylor_Tad 2007-04-27 20:10 ` Steve Grubb 2007-04-27 20:28 ` Paul Moore 0 siblings, 2 replies; 4+ messages in thread From: Taylor_Tad @ 2007-04-27 20:05 UTC (permalink / raw) To: linux-audit -----Original Message----- While a little more verbose than one might like, couldn't you audit exec() system calls? That would certainly capture all the commands issued from a shell. However, you might want to only audit successful exec()s. As I recall from auditing *nix systems years ago, shells tend to just start trying to execute a command name along your path and if it fails, it tries again with the next path (for example, the command doesn't exist in /usr/local/bin, let's try /usr/bin and then /usr/sbin, etc.) This would pick up other exec()s as well, but you should be able to generate reports to find the ones that were issued by a shell. Just a thought. --Tad Taylor Message: 3 Date: Thu, 26 Apr 2007 11:10:05 -0400 From: Steve Grubb <sgrubb@redhat.com> Subject: Re: Recording user command ? To: linux-audit@redhat.com Message-ID: <200704261110.05440.sgrubb@redhat.com> Content-Type: text/plain; charset="iso-8859-1" On Thursday 26 April 2007 10:32, Gavin White wrote: > In addition to recording system calls, file activity etc, I would like > to record issued commands, ie. anything typed into a shell by a user. > > Is this a reasonable thing to do with auditd? Is it possible? Well, there are 2 kinds of users, root and everyone else. What everyone else does cannot be logged by the session they are running in because it does not have enough privileges to log to the audit system. For the root user, it has enough privileges to log. We are working on a solution for this problem. I think most security targets are only interested in actions performed by the root user since they can affect the machine in many ways. So, as it stands today, it can't be done with the audit system. We hope to have something that starts to address the problem soon. -Steve ------------------------------ -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit End of Linux-audit Digest, Vol 31, Issue 12 ******************************************* ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Recording user commands (from RE: Linux-audit Digest, Vol 31, Issue 12) 2007-04-27 20:05 ` Recording user commands (from RE: Linux-audit Digest, Vol 31, Issue 12) Taylor_Tad @ 2007-04-27 20:10 ` Steve Grubb 2007-04-27 20:28 ` Paul Moore 1 sibling, 0 replies; 4+ messages in thread From: Steve Grubb @ 2007-04-27 20:10 UTC (permalink / raw) To: linux-audit; +Cc: Taylor_Tad On Friday 27 April 2007 16:05, Taylor_Tad@emc.com wrote: > While a little more verbose than one might like, couldn't you audit > exec() system calls? Yes, you could certainly do that. But as you said, it would be more data than you would want. If you had a policy of no root logins, you could define a rule something like this: -a always,entry -S execve -F 'auid>=500' And that should cut it down to the commands run by real users and not daemons. >However, you might want to only audit successful exec()s. I don't think execve returns in the normal sense when successful. -Steve ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Recording user commands (from RE: Linux-audit Digest, Vol 31, Issue 12) 2007-04-27 20:05 ` Recording user commands (from RE: Linux-audit Digest, Vol 31, Issue 12) Taylor_Tad 2007-04-27 20:10 ` Steve Grubb @ 2007-04-27 20:28 ` Paul Moore 2007-04-27 21:38 ` Valdis.Kletnieks 1 sibling, 1 reply; 4+ messages in thread From: Paul Moore @ 2007-04-27 20:28 UTC (permalink / raw) To: linux-audit; +Cc: Taylor_Tad On Friday, April 27 2007 4:05:28 pm Taylor_Tad@emc.com wrote: > While a little more verbose than one might like, couldn't you audit > exec() system calls? That would certainly capture all the commands > issued from a shell. I believe that would miss all of the shell built-in commands though, wouldn't it? Not sure if we would care, but you can do some interesting things with the built-ins ... (although maybe you could capture that through additional audit watches/syscalls/etc.) -- paul moore linux security @ hp ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Recording user commands (from RE: Linux-audit Digest, Vol 31, Issue 12) 2007-04-27 20:28 ` Paul Moore @ 2007-04-27 21:38 ` Valdis.Kletnieks 0 siblings, 0 replies; 4+ messages in thread From: Valdis.Kletnieks @ 2007-04-27 21:38 UTC (permalink / raw) To: Paul Moore; +Cc: Taylor_Tad, linux-audit [-- Attachment #1.1: Type: text/plain, Size: 448 bytes --] On Fri, 27 Apr 2007 16:28:17 EDT, Paul Moore said: > I believe that would miss all of the shell built-in commands though, wouldn't > it? Not sure if we would care, but you can do some interesting things with > the built-ins ... (although maybe you could capture that through additional > audit watches/syscalls/etc.) # perl -e 'while (<>) {eval $_;}' Doing proper auditing of what a user is doing is harder than it looks. Have a nice day. :) [-- Attachment #1.2: Type: application/pgp-signature, Size: 226 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2007-04-27 21:39 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20070426160026.DFC3B73253@hormel.redhat.com>
2007-04-27 20:05 ` Recording user commands (from RE: Linux-audit Digest, Vol 31, Issue 12) Taylor_Tad
2007-04-27 20:10 ` Steve Grubb
2007-04-27 20:28 ` Paul Moore
2007-04-27 21:38 ` Valdis.Kletnieks
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.